b'                                                        (j~ SECu\n                                                              ~\n                                                       ~\n                                                       \\h~1I1111~~\n                                                         -vIST\'j.J..\n                                       SOCIAL               SECURITY\n                                           Office of the Inspector         General\nMEMORANDUM\nDate:      May 30,      2001                                                                      Refer   To:   ICN   31150-23-162\n\n           Larry G. Massanari\nTo:        Acting Commissioner\n\n             of Social Security\n\n           I nspector   General\n\n\n\n\nSubject:   Review of the Social Security    Administration\'s          Office of Child Support             Enforcement         Pilot\n           Evaluation (A-O1-00-20006)\n\n\n\n           The attached final report presents the results of our evaluation. Our objective was to\n           determine whether the Social Security Administration\'s assessment of the benefits and\n           risks of using online, read-only access to Office of Childhood Support Enforcement data\n           was accurate and complete.\n\n           Please comment within 60 days from the date of this memorandum on corrective action\n           taken or planned on each recommendation. If you wish to discuss the final report,\n           please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector\n           General for Audit, at (410) 965-9700.\n\n\n\n\n                                                           ~~.-.<--\n                                                                       James   G.   
Huse,   Jr.\n\n\n           Attachment\n\x0c           OFFICE OF\n\n    THE INSPECTOR GENERAL\n\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n\n      REVIEW OF THE SOCIAL\n    SECURITY ADMINISTRATION\xe2\x80\x99S\n     OFFICE OF CHILD SUPPORT\n       ENFORCEMENT PILOT\n           EVALUATION\n\n   May 2001          A-01-00-20006\n\n\n\nEVALUATION REPORT\n\n\n\n\n\n                .\n\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\xbf\xbd Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\xbf\xbd Promote economy, effectiveness, and efficiency within the agency.\n  \xef\xbf\xbd Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\xbf\xbd Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\xbf\xbd Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n\n  \xef\xbf\xbd Independence to determine what reviews to perform.\n\n  \xef\xbf\xbd Access to all information necessary for the reviews.\n\n  \xef\xbf\xbd Authority to publish findings and recommendations based on the reviews.\n\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe 
are agents of positive change striving for continuous improvement in the\nSocial Security Administration\'s programs, operations, and management and in\nour own office.\n\x0c                                                 Executive Summary\n\nOBJECTIVE\nOur objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\nassessment of the benefits and risks of using online, read-only access to the Office of\nChildhood Support Enforcement (OCSE) data was accurate and complete.\n\nBACKGROUND\nIn accordance with section 316 of the Personal Responsibility and Work Opportunity\nReconciliation Act of 1996 (Public Law 104-193), the Department of Health and Human\nServices\xe2\x80\x99 OCSE developed a database, known as the National Directory of New Hires\n(NDNH), to aid in enforcing child support orders. This Act, as well as the Privacy Act,\nalso provide for the disclosure of the information in the NDNH database to SSA for its\nuse in preventing and reducing payment errors. The NDNH contains:\n\n   1. a registry of all newly hired employees in the nation;\n   2. quarterly wage information; and\n   3. quarterly unemployment compensation information.\n\nOCSE data has been shared with SSA for quarterly computer matches since 1998. In\naddition to this quarterly matching, SSA implemented online access to the NDNH in all\nits field offices (FO) during the first quarter of calendar year (CY) 2001. The query is\ndesigned to give FO staff online, read-only access to limited wage, new hire and\nunemployment information for those individuals who have filed for Supplemental\nSecurity Income (SSI) benefits.\n\nBefore establishing this access nationwide, SSA piloted access to the NDNH in 50 FOs.\nThe pilot period was from May 8, 2000 through June 30, 2000 and allowed SSA\npersonnel to query the NDNH database online. 
The purpose of the pilot was to test the\naccess controls, monitor the impact the query has on OCSE operations, and determine\nthe impact of the query on payment accuracy under the SSI program.\n\nDuring the pilot, SSA staff used OCSE data to assess whether claimants for SSI\nbenefits had unreported income. Current means of verification are done after\nindividuals are receiving SSI payments. Verifying wages and other income before\ndeciding whether an applicant is eligible for SSI is expected to improve payment\naccuracy for SSA, reducing both overpayments and underpayments to recipients. In\naddition, it is expected to reduce the number of overpayment recovery activities SSA\nmust process.\n\nDuring development of SSA\xe2\x80\x99s query access, OCSE staff expressed concerns that SSA\xe2\x80\x99s\nquerying OCSE data would compromise the confidentiality of the data and/or create a\nperception that data in the NDNH is no longer confidential. OCSE staff were concerned\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                      i\n\x0cthat such a perception could, in turn, jeopardize OCSE\xe2\x80\x99s use of the Federal Parent\nLocator Service. The U.S. Office of Management and Budget also shared OCSE\xe2\x80\x99s\nconcerns. As a result of these concerns, the Office of the Inspector General was\nrequested to conduct an independent assessment of SSA\xe2\x80\x99s OCSE pilot evaluation.\n\nRESULTS OF REVIEW\nOur review tested specific features of system security over the OCSE query and\nassessed SSA\xe2\x80\x99s calculation of return on investment (ROI) from OCSE data access.\n\nSystem Security\n\nWe found two vulnerabilities with SSA\xe2\x80\x99s OCSE permission module which was\ndeveloped to ensure that SSA staff could only access records with an SSI business\nrelationship. 
Contrary to access specifications, our tests showed that authorized FO\npersonnel could:\n\n\xe2\x80\xa2\t Gain query access for individuals who were not receiving SSI benefits, but who were\n   receiving benefits from SSA under a separate entitlement program. SSA corrected\n   this issue as soon as we brought it to their attention.\n\n\xe2\x80\xa2\t Gain query access for individuals who were representative payees for SSI\n   recipients, but who did not receive SSI benefits themselves. When we brought this\n   to their attention, SSA staff reported that they would take corrective action to\n   implement a system modification prior to the national rollout of the online query.\n\nReturn on Investment\n\nDuring the course of our evaluation, several issues came to our attention regarding the\nROI portion of SSA\xe2\x80\x99s evaluation:\n\n\xe2\x80\xa2\t The FOs involved in the OCSE pilot were not selected randomly. Therefore, SSA\n   was not able to make a statistical projection of ROI based on the pilot results;\n   however, SSA\xe2\x80\x99s report did not identify the ROI as a non-statistical estimate.\n\n\xe2\x80\xa2\t In addition to OCSE data, SSA obtains wage, unemployment, and other data\n   through a data access system known as Social Security Administration Access to\n   State Records Online (SASRO). Under SASRO, SSA negotiates online access to\n   data maintained at State agencies. Many SSA FOs have and use SASRO, including\n   some of the same FOs selected for the OCSE pilot. Since SASRO provides some of\n   the same information as the OCSE query, any savings occurring from the OCSE\n   pilot could possibly have also been obtained through SASRO. 
Since the possibility\n   of duplicative savings was not built into SSA\xe2\x80\x99s OCSE ROI calculations, the ROI\n   could be overstated or duplicative of savings reported by SSA as a result of SASRO.\n   SSA staff, however, does not believe that the ROI developed during the pilot was\n   inflated.\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                     ii\n\x0cCONCLUSIONS AND RECOMMENDATIONS\nOur review did not identify any issues that would cause us to recommend against SSA\xe2\x80\x99s\nimplementation of the online query in all its FOs. However, during our limited testing of\nSSA\xe2\x80\x99s system security, we identified security weaknesses, which indicated that SSA\nhad not conducted sufficient testing prior to implementing the pilot. Also, we have some\ngeneral concerns regarding SSA\xe2\x80\x99s ROI calculation. In response to our findings, SSA\ninitiated prompt corrective actions to address the security weaknesses we identified.\nAlso, SSA had planned to perform an additional study in 2001 to assess the costs and\nbenefits of nationwide access to the online OCSE query.\n\nWe recommend that SSA:\n\n\xe2\x80\xa2\t continue to monitor and test the security of the OCSE query during the national\n   rollout to ensure access weaknesses do not exist; and\n\n\xe2\x80\xa2\t ensure that the savings reported for SSA\xe2\x80\x99s initiatives for online access under\n   SASRO are factored into its planned ROI analysis of nationwide access to OCSE\n   databases.\n\nAGENCY COMMENTS\nIn response to our draft report, SSA agreed with our first recommendation. 
With regard\nto our second recommendation, SSA no longer plans to conduct a study to assess the\ncost and benefits of nationwide online OCSE access.\n\nOIG RESPONSE\nSince SSA no longer plans to conduct a nationwide ROI study, when disclosing the\nresults of the ROI based on the pilot, SSA should note that the ROI is not a statistical\nprojection and may duplicate reported savings from SASRO.\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                      iii\n\x0c                                                                    Table of Contents\n\n                                                                                                              Page\n\n\nINTRODUCTION .................................................................................................... 1\n\n\nRESULTS OF REVIEW.......................................................................................... 5\n\n\nSYSTEM SECURITY.............................................................................................. 5\n\n\n    \xe2\x80\xa2    NDNH Access for Individuals Receiving OASDI Only.................................. 5\n\n\n    \xe2\x80\xa2    NDNH Access for Representative Payees................................................... 6\n\n\n    \xe2\x80\xa2    Additional Access Tests............................................................................... 6\n\n\nRETURN ON INVESTMENT .................................................................................. 7\n\n\n    \xe2\x80\xa2    Impact of FOs Selected for OCSE Pilot on ROI........................................... 8\n\n\n    \xe2\x80\xa2    Overlap Between OCSE and SASRO Data ................................................. 9\n\n\nCONCLUSIONS AND RECOMMENDATIONS .................................................... 
10\n\n\nAPPENDICES\n\n\nAPPENDIX A \xe2\x80\x93 Agency Comments\n\n\nAPPENDIX B \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)\n\x0c                                                                  Acronyms\n\nCR             Claims Representative\n\n\nCY             Calendar Year\n\n\nFO             Field Office\n\n\nMOA            Memorandum of Agreement\n\n\nNDNH           National Directory of New Hires\n\n\nOASDI          Old-Age, Survivors and Disability Insurance\n\n\nOCSE           Office of Child Support Enforcement\n\n\nOIG            Office of the Inspector General\n\n\nOMB            Office of Management and Budget\n\n\nOQA            Office of Quality Assurance and Performance Assessment\n\n\nROI            Return on Investment\n\n\nSASRO          Social Security Administration Access to State Records Online\n\n\nSSA            Social Security Administration\n\n\nSSI            Supplemental Security Income\n\n\nSSN            Social Security number\n\n\nUI             Unemployment Insurance\n\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)\n\x0c                                                                    Introduction\n\nOBJECTIVE\nOur objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\nassessment of the benefits and risks of using online, read-only access to the Office of\nChildhood Support Enforcement (OCSE) data was accurate and complete.\n\nBACKGROUND\nThe Old-Age, Survivors and Disability Insurance (OASDI) program provides retirement\nbenefits to insured individuals who have reached the minimum retirement age,\nsurvivors\xe2\x80\x99 benefits to dependents of insured wage earners in the event the family wage\nearner dies, and disability benefits to disabled wage earners and their families. 
The\nSupplemental Security Income (SSI) program provides income to financially needy\nindividuals who are aged, blind, or disabled.\n\nIn accordance with section 316 of the Personal Responsibility and Work Opportunity\nReconciliation Act of 1996 (Public Law 104-193), the United States Department of\nHealth and Human Services\xe2\x80\x99 OCSE developed a database to aid in enforcing child\nsupport orders. This database, known as the National Directory of New Hires (NDNH),\ncontains the following information:\n\n      1. \t A registry of all newly hired employees in the nation (a compilation of all \xe2\x80\x9cW-4s\xe2\x80\x9d\n           filed by employers).\n      2. Quarterly wage information.\n      3. Quarterly unemployment compensation information.\n\nSection 316 of Public Law 104-193 and the Privacy Act1 also provide for the disclosure\nof the information in the NDNH database to SSA for its use in preventing and reducing\npayment errors. SSA began using OCSE wage data in 1998 to conduct quarterly\ncomputer matches with its program benefit files. These quarterly matches gather data\nfrom all 50 States, the District of Columbia and Federal agencies. If there is a\ndiscrepancy detected during the matching operation, an alert is generated and\nprocessed in a SSA field office (FO). This matching operation identifies cases with new\nor increased wage and unemployment insurance (UI) income. SSA reported that the\nSeptember 1998 computer match with OCSE data prevented an estimated $6.5 million\nin future overpayments and detected $17.6 million in recoverable overpayments.\n\nAs a supplement to the quarterly OCSE wage matches, in April 2000, SSA started a\nproject to evaluate the cost effectiveness of having online access to the NDNH\ndatabase. Online access to NDNH data would enable SSA to assess factors important\nfor determining a SSI applicant\xe2\x80\x99s eligibility and payment amount before benefits are\n\n1\n    5 U.S.C. 
552a(b)(3) and 552a(e)(4)(D)\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                           1\n\x0cpaid. Currently, SSA\xe2\x80\x99s means of wage and income verification are to rely on self-\nreporting by the SSI recipients and to conduct computer matches after individuals\nreceive SSI payments. Online access to OCSE data is expected to allow SSA to verify\nwages and other income prior to deciding whether an applicant is eligible for SSI\nbenefits. Verification of this information prior to making payments is expected to\nimprove payment accuracy for SSA, reducing both overpayments and underpayments\nto recipients. In addition, it is expected to reduce the number of overpayment recovery\nactivities SSA must process.\n\nOffice of Child Support Enforcement Pilot\n\nBetween May 8, 2000 and June 30, 2000, SSA conducted a pilot at 50 FOs which\nallowed SSA personnel to query the NDNH database to detect potential unstated\nincome. The purpose of the pilot was to test the access controls, monitor the impact the\nquery has on OCSE operations, and determine the impact of the query on SSA\xe2\x80\x99s\nprograms. A notice announcing the query was published in the Federal Register on\nSeptember 14, 1999.\n\nUnder the pilot, FO staff were allowed read-only query access to OCSE wage, new hire\nand unemployment information for those individuals who have filed claims for SSI\nbenefits. During the pilot, SSA claims representatives (CR) were told to query the\nNDNH on claims prior to making a decision regarding the claimant or recipient\xe2\x80\x99s\neligibility to SSI benefits. 
Specific situations where SSA would use the query are:\n\n\xe2\x80\xa2   prior to awarding SSI payments in certain circumstances;\n\n\xe2\x80\xa2   prior to releasing large underpayments; and\n\n\xe2\x80\xa2\t when an interview/review indicates that there may be unreported/undisclosed\n   income.\n\nAccess Security for Online OCSE Query\n\nAccess to SSA\xe2\x80\x99s automated system for processing SSI claims is controlled by TOP\nSECRET\xe2\x80\x94a commercially available product used by many private and public\norganizations to control access to computer software programs and data files. TOP\nSECRET uses a combination of personal identification numbers, passwords, profiles,\ndata sets, and transaction identifiers to control access. TOP SECRET enables SSA to\nrestrict user access to the minimum amount required to perform their job duties (least\nprivilege) and responsibilities. This provides the first line of defense to prevent\nunauthorized access and supports the Agency\xe2\x80\x99s compliance with the Privacy Act of\n1974.\n\nTo gain access to TOP SECRET, employees must complete a form requesting access\nand submit it to their security officer. The applications are reviewed, and approved\nusers are assigned a unique personal identification number, password and the systems\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                     2\n\x0cresources they can access. Over and above SSA\xe2\x80\x99s standard system security controls,\nSSA implemented a permission module to limit what data FO staff can access from the\nNDNH. SSA\xe2\x80\x99s access to NDNH data was designed to be limited to those individuals\nwho have a SSI business relationship with SSA. A SSI business relationship is defined\nas having a SSI application or payment issue pending with SSA. Access is restricted to\nonly those records in the NDNH where the Social Security number (SSN) in the NDNH\nmatches the SSN on a SSI claim or record. 
The mechanism that \xe2\x80\x9cchecks\xe2\x80\x9d the business\nrelationship is referred to as the permission module.\n\nFurther security measures were taken to ensure that SSA\xe2\x80\x99s access to NDNH data is\nread-only. While SSA\xe2\x80\x99s access is online in the respect that is it real-time data, SSA staff\nare not actually accessing the OCSE database in an interactive manner. Specifically,\nSSA staff cannot modify, manipulate, add to, or delete data from the OCSE database.\n\nData Obtained in an NDNH Query\n\nA response to a NDNH query is treated as a \xe2\x80\x9clead\xe2\x80\x9d by SSA\xe2\x80\x99s FO staff. SSA cannot rely\nsolely on the data obtained from a NDNH query to deny or decrease the payment\namount of a SSI recipient. When SSA receives data in response to a NDNH query,\nSSA verifies the information obtained with the recipient and/or the supplier of the\ninformation. This verification ensures that data used by SSA is accurate and that\nprivacy rights specified in the Computer Matching and Privacy Protection Act are\nrespected.\n\nThe query to NDNH has an audit trail associated with it, as is standard practice for SSA.\nThe audit trail provides for the collection and storage of usage data in SSA\xe2\x80\x99s records.\nThe information captured includes who requested the query; the office code; the SSN\naccessed; and the type of information accessed (i.e., wages, new hire, and\nunemployment).\n\nOCSE Data Privacy Concerns\n\nStaff from OCSE participated in the SSA workgroup that developed SSA\xe2\x80\x99s query access\nto OCSE data. During development of the query, OCSE staff expressed concerns\nabout using online access to facilitate the data exchange. 
Specifically, OCSE staff were\nconcerned that querying the data would compromise the confidentiality of the data and\ncreate a perception that OCSE data is no longer confidential among OCSE\xe2\x80\x99s customers.\nOCSE staff was concerned that this perception could, in turn, jeopardize OCSE\xe2\x80\x99s use of\nthe Federal Parent Locator Service\xe2\x80\x94which is mission critical for OCSE. The U.S.\nOffice of Management and Budget (OMB) also shared these concerns.\n\nTo address these privacy concerns, OCSE and SSA have taken steps to ensure that\nthe read-only query sustains the protections provided in all statutes relating to agency\nuse, collection and disclosure of personal information in accordance with the\nrequirements of the Privacy Act of 1974 (5 United States Code 552a).\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                      3\n\x0cSCOPE AND METHODOLOGY\nDue to concerns over SSA maintaining the privacy of OCSE data, the Office of the\nInspector General was requested to conduct an independent assessment of SSA\xe2\x80\x99s\nOCSE pilot evaluation. To accomplish our objective, we:\n\n\xe2\x80\xa2\t Interviewed staff from SSA\xe2\x80\x99s Office of Disclosure Policy, Office of Quality Assurance\n   and Performance Assessment (OQA), and Office of Systems.\n\n\xe2\x80\xa2\t Interviewed staff members from three SSA FOs who had access to both OCSE and\n   Social Security Administration Access to State Records Online (SASRO).\n\n\xe2\x80\xa2\t Conducted site visits at two SSA FOs to test access security over the OCSE pilot.\n   Specifically, we assessed whether staff could access the NDNH data who were not\n   supposed to be granted access. 
Also, we requested that CRs query the NDNH for\n   individuals who:\n   - received OASDI benefits, but do not have SSI claims;\n   -\t previously received SSI benefits, but were not receiving payments at the time of\n       our review;\n   - did not receive any type of Social Security benefits;\n   - are parents of SSI recipients, but do not have SSI claims of their own; and\n   -\t are representative payees for SSI recipients, but do not have SSI claims\n       themselves.\n\n\xe2\x80\xa2\t Reviewed relevant laws, regulations, SSA guidelines, and the Memorandum of\n   Agreement (MOA) on Privacy Act issues for electronic online single query access\n   between OCSE and SSA (SSA # 1079).\n\n\xe2\x80\xa2\t Reviewed SSA Office of Systems documentation detailing the security features in\n   place for the OCSE pilot.\n\n\xe2\x80\xa2   Reviewed SSA\xe2\x80\x99s pilot evaluation report.\n\nWe did not assess, and do not express an opinion on (1) SSA\xe2\x80\x99s nationwide use of the\nOCSE online query or (2) SSA\xe2\x80\x99s adherence to its Software Engineering Technology\nstandards and guidelines for developing the online query. Our review was not designed\nto identify all potential vulnerabilities. We limited our review to a general examination of\nthe return on investment (ROI) calculation and testing of specific security features in\nplace at the time of the OCSE pilot.\n\nWe performed our review in Boston, Massachusetts between May and December 2000.\nThe entities evaluated were SSA\xe2\x80\x99s FOs under the Deputy Commissioner for Operations;\nthe Office of Systems Development and Design under the Deputy Commissioner for\nSystems; and the OQA under the Deputy Commissioner for Finance, Assessment and\nManagement. 
This review was conducted in accordance with the Quality Standards for\nInspections issued by the President\xe2\x80\x99s Council on Integrity and Efficiency.\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                      4\n\x0c                                                        Results of Review\n\nOur review tested specific features of system security over the OCSE query and\nassessed SSA\xe2\x80\x99s calculation of ROI from OCSE data access. We found weaknesses in\nSSA\xe2\x80\x99s system security access controls that were contrary to established guidelines.\nAlso, we have concerns regarding SSA\xe2\x80\x99s calculation of ROI. However, these\nweaknesses and concerns do not present barriers to SSA\xe2\x80\x99s national rollout of the online\nOCSE query.\n\nSYSTEM SECURITY\nWe found two vulnerabilities with SSA\xe2\x80\x99s OCSE permission module which was\ndeveloped to ensure that SSA staff could only access records with an SSI business\nrelationship. Contrary to access specifications, our tests showed that FO personnel\ncould:\n\n\xe2\x80\xa2\t Gain query access for individuals who were not receiving SSI benefits, but who were\n   receiving benefits from SSA under a separate entitlement program. SSA corrected\n   this issue as soon as we brought it to their attention.\n\n\xe2\x80\xa2\t Gain query access for individuals who were representative payees for SSI\n   recipients, but who did not receive SSI benefits themselves. When we brought this\n   to their attention, SSA staff reported that they would take corrective action to\n   implement a system modification prior to the national rollout of the online query.\n\nNDNH Access for Individuals Receiving OASDI Only\n\nOur tests showed that CRs could, in violation of systems security requirements, gain\nquery access for individuals receiving OASDI benefits only. After we advised SSA staff\nof the problem, they reported that they corrected the weakness immediately. 
Our\nfollow-up tests indicated that SSA did correct this weakness.\n\nDuring a site visit at 1 of the 50 pilot FOs, we provided a CR with the SSNs of\n5 beneficiaries who were receiving OASDI benefits, but who did not receive SSI\npayments. Contrary to program guidelines, the CR was able to obtain NDNH data from\nthe OCSE query for these 5 beneficiaries. Under the MOA and security features\nestablished, the CR should not have been able to obtain this information. We notified\nSSA of this weakness in the OCSE pilot query system and provided the Office of\nSystems Design and Development staff with the 5 SSNs used in our tests. SSA staff\nagreed that the CR should not have had access to the data since the system had been\nspecifically designed to preclude access to the records of beneficiaries only receiving\nOASDI benefits.\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                   5\n\x0cSSA staff explained that, since 1985, the \xe2\x80\x9cWhere Am I\xe2\x80\x9d file contains records of\nindividuals receiving OASDI and/or SSI benefits. The \xe2\x80\x9cWhere Am I\xe2\x80\x9d file is read by using\na SSA standard permission module. SSA reported that the access weakness we\nidentified occurred because the permission module misinterpreted a \xe2\x80\x9cpresent\xe2\x80\x9d return\ncode as acceptable, when it should have been looking for a code representing \xe2\x80\x9cpresent\nand SSI.\xe2\x80\x9d SSA staff reported that the permission module was corrected.\n\nAfter SSA reported to us that this change was made, we conducted further tests to\ndetermine whether the corrective action was implemented. In a subsequent site visit to\na different FO, we had a CR attempt to access the OCSE query system for 3 OASDI\nbeneficiaries who did not have a SSI business relationship with SSA. 
Our attempt failed\nand we concluded that SSA staff had adjusted the system as they had reported to us.\nBased on our follow-up test, NDNH records could no longer be accessed for OASDI\nonly beneficiaries and this system weakness appears to have been corrected.\n\nNDNH Access for Representative Payees\n\nIn certain situations, SSA makes payments to representative payees for the benefit of\nSSI recipients\xe2\x80\x94usually because the recipients are incapable of managing their own\nfunds. In such cases, the representative payee may also be receiving SSI payments,\nthereby having his or her own business relationship with SSA. However, there are also\nmany situations where a representative payee does not have any other business with\nSSA other than serving as a representative payee.\n\nDuring our site visit to a FO involved in the OCSE pilot, we had a CR attempt to access\nNDNH records for a representative payee who did not have any other SSI business\nrelationship with SSA. Based on SSA\xe2\x80\x99s system access security, FO staff should not be\nable to access NDNH records for representative payees who do not also have their own\nSSI claims. However, our tests found that NDNH queries were available to FO staff for\nthis individual.\n\nWe notified SSA of this weakness in the OCSE pilot query system and provided the\nOffice of Systems Design and Development staff with the SSN used in our test. SSA\nstaff agreed that the CR should not have had access to the data since the system had\nbeen designed to preclude access to the records of beneficiaries who did not have their\nown SSI claims. SSA staff advised us in March 2001 that the needed modification to\nprohibit access to records of these representative payees was implemented. 
Also, SSA\nwill continue to monitor systems security and the use of the OCSE query.\n\nAdditional Access Tests\n\nIn addition to those tests described above, we also conducted access tests for which\nthe results were in agreement with SSA\xe2\x80\x99s security design. For example, our tests of\naccess to NDNH data showed that FO personnel could:\n\n\n\n\nReview of SSA\xe2\x80\x99s OCSE Pilot Evaluation (A-01-00-20006)                                  6\n\x0c\xe2\x80\xa2\t Gain query access for individuals with terminated SSI records. According to SSA\n   staff, this access is allowed because many people receive SSI payments, lose SSI\n   eligibility, and later receive benefits again. Also, even though a person is not\n   receiving SSI payments at a point in time, eligibility and payments during a prior\n   period may be subject to review and revision, and access to the OCSE database\n   could facilitate this review. Further, if a person applies for reinstatement of benefits,\n   the reinstatement could be impeded in some cases if the permission module did not\n   allow immediate access to the NDNH databases.\n\n\xe2\x80\xa2\t Not gain query access for individuals with no SSA involvement (no OASDI or SSI\n   claims). This is appropriate since it protects the privacy of individuals who are in the\n   OCSE database but who do not have a business relationship with SSA.\n\n\xe2\x80\xa2\t Not gain query access unless their individual-specific profile was authorized under\n   SSA\xe2\x80\x99s access restriction software.\n\n\xe2\x80\xa2\t Access records for parents of SSI recipients, regardless of whether the parent also\n   had a SSI claim. 
   SSA staff reported that this was necessary to ensure that any
   income deemed[2] from the parent to the child recipient was identified through the
   OCSE data.

RETURN ON INVESTMENT

The majority of SSI overpayments stem from recipients’ failure to report wages or
changes in the factors that can affect eligibility or payment amount. The leading source
of payment error in the SSI program is undisclosed wages. If an applicant alleges no
earnings, eligibility and payment amounts are determined on that basis. Of the SSI
payments made for fiscal year 1996, an estimated $365 million in overpayments were
associated with unreported or underreported wages earned by recipients or the
recipients’ deemors. Based on its OCSE pilot, SSA estimates that when pilot data is
used to verify income on a pre-benefit payment basis, SSA realizes an SSI
overpayment improvement of $30.8 million for a ROI ratio of 3.6 to 1.

During the course of our evaluation, several issues came to our attention regarding the
ROI portion of SSA’s evaluation of the OCSE pilot. At the time of our evaluation of the
pilot, SSA was planning a second review to fully assess the costs and benefits of
nationwide OCSE online access.
This second study by OQA was to be used to
determine whether the OCSE/SSA data exchange should continue on an ongoing basis.

[2] The term deeming identifies the process of considering another person’s income and resources to be
available for meeting an SSI claimant’s basic needs of food, clothing, and shelter.

Impact of FOs Selected for OCSE Pilot on ROI

According to SSA staff, the FOs involved in the OCSE pilot were not selected randomly.
Therefore, SSA was not able to make a statistical projection based on the pilot results.
However, even though SSA’s report states that the FOs “volunteered to participate” in
the OCSE pilot and were therefore not randomly selected, it does not identify the ROI
as a non-statistical estimate.

Although 5 FOs were selected from each of the 10 SSA regions for a total of 50 OCSE
pilot sites, these offices only represent 36 of the 50 States plus the District of Columbia.
The remaining 14 States are not represented in the OCSE pilot. Also, in SSA’s Atlanta
region, only 2 of the 8 States (25 percent) for that region were represented in the pilot;
whereas 4 regions included at least one FO from each of their designated States.
(See the chart below).

[Chart: OCSE Pilot Site Offices by SSA Region. Vertical axis: Number of States (0 to 7).
Horizontal axis: Regions (Atlanta, Boston, Chicago, Dallas, Denver, Kansas City, New York,
Philadelphia, San Francisco, Seattle). Legend: States included in OCSE pilot; States not
included in OCSE pilot.]

We consider random sampling to be the best way of providing a reasonably accurate
projection of cost savings; and, if circumstances prevent a statistical estimate, it should
be disclosed.
If it is not disclosed, there is a risk that inferences about the ROI may be
misinterpreted as being representative of the entire universe.

According to SSA staff, the OCSE pilot sites were not randomly selected for the ROI
calculation because initially the OCSE pilot was only set to evaluate the security over
the online query. Therefore, the 50 FOs were already selected when OMB later
requested an ROI analysis.

Overlap Between OCSE and SASRO Data

In addition to OCSE data, SSA obtains wage, unemployment, and other State data
through a data access system known as SASRO.[3] Under SASRO, SSA negotiates
online access to data, maintained at the state level, from human services, vital statistics,
UI, and workers’ compensation agencies. Many SSA FOs have and use SASRO,
including some of the same FOs selected for the OCSE pilot. Since SASRO provides
some of the same information as the OCSE query, any savings occurring from the
OCSE pilot could possibly have been obtained online through SASRO.
Such a
possibility was not built into SSA’s ROI calculations and, as a result, those estimates
could be overstated or duplicative of savings realized by SSA as a result of SASRO.

SSA staff do not believe that the ROI developed during the pilot was inflated since the
ROI was based on a comparison between (1) the information found through the OCSE
query and (2) the information SSA would have had without the OCSE query (which may
have included SASRO data).

[3] As of September 2000, SSA had SASRO connections with 66 agencies in 37 States; and 22 of these
connections are for wage and unemployment information.

Conclusions and Recommendations

Our review did not identify any issues that would cause us to recommend against SSA’s
implementation of the online query in all its FOs. However, during our limited testing of
SSA’s system security, we identified security weaknesses, which indicated that SSA
had not conducted sufficient testing prior to implementing the pilot. Also, we have some
general concerns regarding SSA’s ROI calculation. In response to our findings, SSA
initiated prompt corrective actions to address the security weaknesses we identified.
Also, SSA had planned to perform an additional study in 2001 to assess the costs and
benefits of nationwide access to the online OCSE query.

We recommend that SSA:

1. continue to monitor and test the security of the OCSE query during the national
   rollout to ensure access weaknesses do not exist; and

2.
   ensure that the savings reported for SSA’s initiatives for online access under
   SASRO are factored into its planned ROI analysis of nationwide access to OCSE
   databases.

AGENCY COMMENTS

In response to our draft report, SSA agreed with our first recommendation. With regard
to our second recommendation, SSA no longer plans to conduct a study to assess the
cost and benefits of nationwide online OCSE access.

OIG RESPONSE

Since SSA no longer plans to conduct a nationwide ROI study, when disclosing the
results of the ROI based on the pilot, SSA should note that the ROI is not a statistical
projection and may duplicate reported savings from SASRO. (See Appendix A for
SSA’s comments.)

Appendices

Appendix A

Agency Comments

SOCIAL SECURITY

MEMORANDUM                                                  30125-24-620

Date:      May 3, 2001                                      Refer To: SJI-3

To:        James G. Huse, Jr.
           Inspector General

From:      Larry G.
           Massanari
           Acting Commissioner of Social Security

Subject:   Office of the Inspector General (OIG) Draft Evaluation Report, "Review of the Social Security
           Administration's Office of Child Support Enforcement Pilot Evaluation" (A-01-00-20006) -
           INFORMATION

           Our comments to the subject report are attached. Staff questions may be directed to
           Odessa J. Woods at extension 50378.

           Attachment:
           SSA Response

COMMENTS OF THE SOCIAL SECURITY ADMINISTRATION (SSA) ON
THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT EVALUATION
REPORT: REVIEW OF THE SOCIAL SECURITY ADMINISTRATION’S
OFFICE OF CHILD SUPPORT ENFORCEMENT PILOT EVALUATION
(A-01-00-20006)

We appreciate the opportunity to comment on the draft report. Following are our comments on
the recommendations.

Recommendation 1

Continue to monitor and test the security of the Office of Child Support Enforcement (OCSE)
query during the national rollout to ensure access weaknesses do not exist.

Comment

We agree. We continue to monitor the security of the OCSE query. To date, no infractions or
problems have been reported.

Recommendation 2

Ensure that the savings reported for SSA’s initiatives for online access under SSA’s Access to
State Records Online (SASRO) are factored into its planned return on investment (ROI) analysis
of nationwide access to OCSE databases.

Comment

SSA has decided that a second study to assess the cost and benefits of nationwide online OCSE
access is not needed.

During the pilot, SSA discussed the possible need for a second study to fully assess the costs and
benefits of nationwide OCSE online access. However, we determined that the pilot results were
sufficient to clearly demonstrate the benefits of online OCSE access.
Thus, nationwide access to
the online OCSE query was implemented in the first quarter of calendar year 2001.

As indicated in the draft report, the Agency does not believe that the ROI developed during the
pilot was inflated since the ROI was based on a comparison between: 1) the information found
through the OCSE query; and 2) the information SSA would have had without the OCSE query
(which may have included SASRO data). Also, as indicated in the report, the Agency believes
the impact of SASRO wage data in the pilot study was negligible because the overlap (offices
with OCSE and SASRO wage queries) was minimal. Although it is true that a statistical
projection of ROI could not be made based on the pilot results (because the FOs involved were
not randomly selected), the results clearly demonstrated the benefits of online OCSE access.

Appendix B

OIG Contacts and Staff Acknowledgments

    Rona Rustigian, Acting Director, Disability Program Audit Division, (617) 565-1819

    Judith Oliveira, Acting Deputy Director, (617) 565-1765

For additional copies of this report, please contact Office of the Inspector General’s
Public Affairs Specialist at (410) 966-5998. Refer to Common Identification Number
A-01-00-20006.

DISTRIBUTION SCHEDULE

                                                                            No.
                                                                             of
                                                                         Copies

Commissioner of Social Security                                               1
Management Analysis and Audit Program Support Staff, OFAM                    10
Inspector General                                                             1
Assistant Inspector General for Investigations                                1
Assistant Inspector General for Executive Operations                          3
Assistant Inspector General for Audit                                         1
Deputy Assistant Inspector General for Audit                                  1
 Director, Systems Audit Division                                             1
 Director, Financial Management and Performance Monitoring Audit Division     1
 Director, Operational Audit Division                                         1
 Director, Disability Program Audit Division                                  1
 Director, Program Benefits Audit Division                                    1
 Director, General Management Audit Division                                  1
Issue Area Team Leaders                                                      25
Income Maintenance Branch, Office of Management and Budget                    1
Chairman, Committee on Ways and Means                                         1
Ranking Minority Member, Committee on Ways and Means                          1
Chief of Staff, Committee on Ways and Means                                   1
Chairman, Subcommittee on Social Security                                     2
Ranking Minority Member, Subcommittee on Social Security                      1
Majority Staff Director, Subcommittee on Social Security                      2
Minority Staff Director, Subcommittee on Social Security                      2
Chairman, Subcommittee on Human Resources
                                                                              1
Ranking Minority Member, Subcommittee on Human Resources                      1
Chairman, Committee on Budget, House of Representatives                       1
Ranking Minority Member, Committee on Budget, House of Representatives        1
Chairman, Committee on Government Reform and Oversight                        1
Ranking Minority Member, Committee on Government Reform and Oversight         1
Chairman, Committee on Governmental Affairs                                   1
Ranking Minority Member, Committee on Governmental Affairs                    1
Chairman, Committee on Appropriations, House of Representatives               1
Ranking Minority Member, Committee on Appropriations,
 House of Representatives                                                     1
Chairman, Subcommittee on Labor, Health and Human Services, Education
 and Related Agencies, Committee on Appropriations,
 House of Representatives                                                     1
Ranking Minority Member, Subcommittee on Labor, Health and Human
 Services, Education and Related Agencies, Committee on Appropriations,
 House of Representatives                                                     1
Chairman, Committee on Appropriations, U.S. Senate                            1
Ranking Minority Member, Committee on Appropriations, U.S. Senate             1
Chairman, Subcommittee on Labor, Health and Human Services, Education
 and Related Agencies, Committee on Appropriations, U.S. Senate               1
Ranking Minority Member, Subcommittee on Labor, Health and Human
 Services, Education and Related Agencies, Committee on Appropriations,
 U.S.
 Senate                                                                       1
Chairman, Committee on Finance                                                1
Ranking Minority Member, Committee on Finance                                 1
Chairman, Subcommittee on Social Security and Family Policy                   1
Ranking Minority Member, Subcommittee on Social Security and Family Policy    1
Chairman, Senate Special Committee on Aging                                   1
Ranking Minority Member, Senate Special Committee on Aging                    1
Vice Chairman, Subcommittee on Government Management Information
  and Technology                                                              1
President, National Council of Social Security Management Associations,
  Incorporated                                                                1
Treasurer, National Council of Social Security Management Associations,
  Incorporated                                                                1
Social Security Advisory Board                                                1
AFGE General Committee                                                        9
President, Federal Managers Association                                       1
Regional Public Affairs Officer                                               1

Total                                                                        97

Overview of the Office of the Inspector General

Office of Audit

The Office of Audit (OA) conducts comprehensive financial and performance audits of the
Social Security Administration’s (SSA) programs and makes recommendations to ensure that
program objectives are achieved effectively and efficiently.
Financial audits, required by the
Chief Financial Officers Act of 1990, assess whether SSA’s financial statements fairly present
the Agency’s financial position, results of operations, and cash flow. Performance audits review
the economy, efficiency, and effectiveness of SSA’s programs. OA also conducts short-term
management and program evaluations focused on issues of concern to SSA, Congress, and the
general public. Evaluations often focus on identifying and recommending ways to prevent and
minimize program fraud and inefficiency.

Office of Executive Operations

OEO supports the OIG by providing information resource management; systems security; and the
coordination of budget, procurement, telecommunications, facilities and equipment, and human
resources. In addition, this office is the focal point for the OIG’s strategic planning function and
the development and implementation of performance measures required by the Government
Performance and Results Act. OEO is also responsible for performing internal reviews to ensure
that OIG offices nationwide hold themselves to the same rigorous standards that we expect from
SSA, as well as conducting investigations of OIG employees, when necessary. Finally, OEO
administers OIG’s public affairs, media, and interagency activities, coordinates responses to
Congressional requests for information, and also communicates OIG’s planned and current
activities and their results to the Commissioner and Congress.

Office of Investigations

The Office of Investigations (OI) conducts and coordinates investigative activity related to fraud,
waste, abuse, and mismanagement of SSA programs and operations.
This includes wrongdoing
by applicants, beneficiaries, contractors, physicians, interpreters, representative payees, third
parties, and by SSA employees in the performance of their duties. OI also conducts joint
investigations with other Federal, State, and local law enforcement agencies.

Counsel to the Inspector General

The Counsel to the Inspector General provides legal advice and counsel to the Inspector General
on various matters, including: 1) statutes, regulations, legislation, and policy directives
governing the administration of SSA’s programs; 2) investigative procedures and techniques; and
3) legal implications and conclusions to be drawn from audit and investigative material produced
by the OIG. The Counsel’s office also administers the civil monetary penalty program.